[ 
https://issues.apache.org/jira/browse/WICKET-1303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12577069#action_12577069
 ] 

Mika Salminen commented on WICKET-1303:
---------------------------------------

The solution I decided to use in production was to replace all '%' with '*' so that 
the URL is not touched by the framework encoder/decoder. This leaves the URL 
nice-looking and works with Tomcat >= 6.0.10: 

Encoding:
// encode the URL with url encoder
String encodedText = URLEncoder.encode(text, "UTF-8");

// replace all '*' (which is not encoded by URLEncoder) with the corresponding
// entity code
encodedText = encodedText.replaceAll("\\*", "%2A");

// replace all occurrences of '%' with '*'
encodedText = encodedText.replace('%', '*');

Decoding:
// replace all occurrences of '*' with '%'
String decodedText = encodedText.replace('*', '%');

// decode with URLDecoder (also decodes occurrences of "%2A" to '*')
decodedText = URLDecoder.decode(decodedText, "UTF-8");

> Slash separated URL's cannot have URL parameters with value containing 
> forward slash '/'
> ----------------------------------------------------------------------------------------
>
>                 Key: WICKET-1303
>                 URL: https://issues.apache.org/jira/browse/WICKET-1303
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.3.0-final
>         Environment: Tomcat 6.0.14, Firefox 2.0.0.11, Windows XP SP2
>            Reporter: Mika Salminen
>            Priority: Minor
>
> There seems to be an issue with URL parameters encoded into path in form 
> "/page/param1/val1" with handling parameter values with forward slash ('/'). 
> The slash is correctly URL-encoded to entity '%2F' so that for example 
> parameter key/value pair 'foo' => 'b/a/r' is encoded into url like: 
> '/page/foo/b%2Fa%2Fr'. The problem is that Tomcat returns error or empty page 
> with this url.
> I tested and researched a little bit and found out that this is Tomcat 
> related issue. In versions >= 6.0.10 Tomcat does not allow entities '%2F' and 
> '%5C' in path by default so it responds with error (or empty page) when it 
> encounters one of them in URL's path part. More information can be found on 
> http://tomcat.apache.org/security-6.html, under header "Fixed in Apache 
> Tomcat 6.0.10". I tried according to the document to turn system property 
> org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH to true, to allow 
> encoded slashes in path, and got the request with '%2F'  in path through.
> I think that PageParameters in wicket should be easy to use, so that user 
> does not have to worry about the contents of the parameter, so something 
> should be done to this issue.
> I managed to get around this issue by double encoding the parameter values 
> with URLEncoder. I encoded the PageParameter map parameter values with 
> URLEncoder and replaced all occurrences of '%' in resulting text with '=' 
> before passing it forward. So only entity that is left to be encoded by the 
> framework (AbstractRequestTargetUrlCodingStrategy) is '=' which becomes "%3D" 
> so "foo" => "b/a/r" becomes encoded in URL like: "/page/foo/b%3D2Fa%3D2Fr". 
> Decoding of URL is done by opposite operation sequence: framework decodes the 
> parameter for me to form b=2Fa=2Fr and after that I replace  '=' with '%' and 
> the replaced string is further decoded with URLDecoder. Not very beautiful 
> solution but seems to work as a quick fix and leaves non-special characters 
> unaffected. As a little downside two extra characters are needed to encode 
> every special character.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
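
The '%' to '*' scheme from the comment above, as an added example that is not part of the original message or of Wicket: it checks that encoded values carry no '%', '/' or '\' and that they round-trip, and shows the collision that appears if the literal '*' is not escaped first. The class name, method names and sample values are hypothetical.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;

// Added example: StarPathCodec and its methods are hypothetical names, not Wicket API.
public class StarPathCodec {

    // URLEncoder leaves '*' untouched, so it is escaped to %2A first;
    // after that every '*' in the result stands for a '%'.
    static String encode(String text) throws UnsupportedEncodingException {
        String encoded = URLEncoder.encode(text, "UTF-8");
        encoded = encoded.replace("*", "%2A");
        return encoded.replace('%', '*');
    }

    static String decode(String segment) throws UnsupportedEncodingException {
        return URLDecoder.decode(segment.replace('*', '%'), "UTF-8");
    }

    // Same as encode() but without the '*' escape, to show why that step is needed.
    static String encodeWithoutStarEscape(String text) throws UnsupportedEncodingException {
        return URLEncoder.encode(text, "UTF-8").replace('%', '*');
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: slashes, a literal '*', a literal '%',
        // a backslash, a '+' and non-ASCII characters.
        String[] samples = { "b/a/r", "a*b", "*2F", "50% off\\x", "1+1", "\u00e4/\u00f6" };
        for (String value : samples) {
            String segment = encode(value);
            boolean pathSafe = segment.indexOf('%') < 0
                    && segment.indexOf('/') < 0
                    && segment.indexOf('\\') < 0;
            if (!pathSafe || !decode(segment).equals(value)) {
                throw new AssertionError("scheme failed for: " + value);
            }
            System.out.println(value + " -> " + segment);
        }

        // Without the escape, the literal text "*2F" is emitted unchanged and is
        // later read back as "%2F", so it decodes to "/" instead of itself.
        String ambiguous = encodeWithoutStarEscape("*2F");
        if (decode(ambiguous).equals("*2F")) {
            throw new AssertionError("expected a collision without the '*' escape");
        }
        System.out.println("unescaped \"*2F\" decodes to: " + decode(ambiguous));
    }
}
```

After decoding, a value can again contain '/' and '\', the characters whose encoded forms Tomcat >= 6.0.10 rejects in the path by default, so code that consumes the parameter should validate it like any other request input.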
